Re-implement forgot password

app/main/dao/users_dao.py

@@ -64,11 +64,6 @@ def is_email_unique(email_address):
             raise ex
 
 
-def request_password_reset(user):
-    user.state = 'request_password_reset'
-    user_api_client.update_user(user)
-
-
 def send_verify_code(user_id, code_type, to):
     return user_api_client.send_verify_code(user_id, code_type, to)
 

app/main/views/forgot_password.py

@@ -1,25 +1,22 @@
 from flask import (
     render_template,
-    flash
 )
+from notifications_python_client.errors import HTTPError
 
 from app.main import main
-from app.main.dao import users_dao
 from app.main.forms import ForgotPasswordForm
-from app.notify_client.sender import send_change_password_email
+from app import user_api_client
 
 
 @main.route('/forgot-password', methods=['GET', 'POST'])
 def forgot_password():
-
     form = ForgotPasswordForm()
     if form.validate_on_submit():
-        if not users_dao.is_email_unique(form.email_address.data):
-            user = users_dao.get_user_by_email(form.email_address.data)
-            users_dao.request_password_reset(user)
-            send_change_password_email(form.email_address.data)
-            return render_template('views/password-reset-sent.html')
-        else:
-            return render_template('views/password-reset-sent.html')
+        try:
+            user_api_client.send_reset_password_url(form.email_address.data)
+        except HTTPError as e:
+            if e.status_code != 404:
+                raise e
+        return render_template('views/password-reset-sent.html')
 
     return render_template('views/forgot-password.html', form=form)

app/main/views/new_password.py

@@ -1,22 +1,33 @@
-from flask import (render_template, url_for, redirect, flash, session)
+import json
+
+from flask import (render_template, url_for, redirect, flash, session, current_app, abort)
+from itsdangerous import SignatureExpired
 
 from app.main import main
 from app.main.dao import users_dao
 from app.main.forms import NewPasswordForm
-from app.notify_client.sender import check_token
+from datetime import datetime
 
 
 @main.route('/new-password/<path:token>', methods=['GET', 'POST'])
 def new_password(token):
-    email_address = check_token(token)
-    if not email_address:
+    from utils.url_safe_token import check_token
+    try:
+        token_data = check_token(token, current_app.config['SECRET_KEY'], current_app.config['DANGEROUS_SALT'],
+                                 current_app.config['TOKEN_MAX_AGE_SECONDS'])
+    except SignatureExpired:
         flash('The link in the email we sent you has expired. Enter your email address to resend.')
         return redirect(url_for('.forgot_password'))
 
+    email_address = json.loads(token_data)['email']
     user = users_dao.get_user_by_email(email_address=email_address)
-    if user and user.state != 'request_password_reset':
-        flash('The link in the email we sent you has already been used.')
-        return redirect(url_for('.index'))
+    # TODO: what should this be??
+    if not user:
+        abort(404, 'user not found')
+    if user.password_changed_at and datetime.strptime(user.password_changed_at, '%Y-%m-%d %H:%M:%S.%f') > \
+            datetime.strptime(json.loads(token_data)['created_at'], '%Y-%m-%d %H:%M:%S.%f'):
+        flash('The link in the email has already been used')
+        return redirect(url_for('main.index'))
 
     form = NewPasswordForm()
 
@@ -26,7 +37,6 @@ def new_password(token):
             'id': user.id,
             'email': user.email_address,
             'password': form.new_password.data}
-        users_dao.activate_user(user)
         return redirect(url_for('main.two_factor'))
     else:
         return render_template('views/new-password.html', token=token, form=form, user=user)